Scrap passwords. But then what? How can you prove that you are the legitimate user of a digital identity if you do not use a password?
As a rule, we use the following sequence to log in:
By identification, you make it known who you are, or rather, which identity you will use for an information system or website. At this point it is only a claim: there is no proof of identity. When I log in I can say that I am the king.
So that I am not simply handed the rights of the king, I first have to prove that I am the king. How do I do this? I tell the login function something that only the king can know – a password. Or I show something that only the king has, for example a ‘token’. Or else a physiological characteristic that is inherent to the king and that cannot be copied or forged.
Should the login function determine that I, as the person logging in, indeed have access to the proof that I am the king, then I will be given the rights of the king. Easy. I have in fact just listed the different options. In our sector, we talk about three factors: something you know, something you have and something you are.
The strongest proof is a combination of knowledge and possession, or of knowledge and biometry. This is called strong authentication, two-factor authentication (2FA) or multi-factor authentication. For example: a token with a PIN code. Or a smartphone with a PIN code. Or a token with a PIN code combined with a fingerprint. Or any other combination…
In previous blogs, I have talked about the problems of passwords. But there is help: password managers, tools that store your passwords for the sites you use. A password manager can both generate strong passwords and manage them for you, so that you do not need to remember them or write them down. You do, however, need to protect the password manager with a master password. If you look after that master password well, it is the only password you still need to remember. The tool logs in for you on the site you wish to visit. Done properly, the stored passwords are far safer than any password you could come up with yourself.
And now it gets really exciting. Over the past few weeks, a discussion started on the Internet about how safe a password manager is. Is this type of solution safer than managing passwords yourself? And could there even be multi-factor authentication when using, for example, Google Authenticator (a text message code security function)? These questions are outlined on this blog.
A discussion for aficionados also started on social media and is described in this blog by Nishant Kaushik. An interesting question is: when is 2FA really 2FA? And what if you unlock your password manager with an app?
If we go back to the basics, what, in essence, are the differences in security level of the three factors: know, have, are?
Copying and sharing
You can copy and share a password, or anything else you know. It’s easy: just write the password down or give it to someone else. That means there is no guarantee at all that the person who knows the password of an account is also the original owner of that account. Note that I say ‘original owner’ rather than ‘actual user’: the original owner may of course always make his or her property available to others, even if that is not permitted.
Possession of a piece of evidence gives somewhat more assurance that an identity is being used legitimately. Not much more, but still a little. You can always hand something you have to someone else, but if it is properly secured it cannot be copied, so only one person at a time can use that piece of evidence.
The third kind of evidence is something inherent, that is, a part of the owner of the identity: biometric characteristics such as fingerprints, iris patterns or voices. This type of evidence cannot be shared and it cannot be copied. At least, not without damaging the individual. If you have read the book ‘I am Pilgrim’ by Terry Hayes, you will know the consequences…
In short, in my view the discussion about 2FA may be interesting, but is less relevant for most environments. It is, in any case, a good discussion point and one that few people have even heard of.
As long as we work with passwords, the level of security will be mediocre. Using a ‘determining factor’ as evidence, i.e., something other than what you know, already delivers a significant improvement. And sometimes an app (with a PIN code) on a smartphone (which you already have) is all that is needed.
Andre Koot (advisory board member IDnextplatform)